[IPsec] Discussion about solving ESP limitations with parallel processing, handling QoS classes etc.

Steffen Klassert <steffen.klassert@secunet.com> Wed, 26 October 2022 12:21 UTC

Date: Wed, 26 Oct 2022 14:21:19 +0200
From: Steffen Klassert <steffen.klassert@secunet.com>
To: ipsec@ietf.org
Message-ID: <20221026122119.GA2602992@gauss3.secunet.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/E5M1OZHCjB8wJ8gbUzZdYWA4inM>
Subject: [IPsec] Discussion about solving ESP limitations with parallel processing, handling QoS classes etc.

Hi,

over the last years, quite some work has been done by different parties
to overcome some limitations of ESP in handling parallel datapaths,
QoS classes etc.

Chronologically ordered, we have:

November 2019:

https://datatracker.ietf.org/doc/html/draft-mglt-ipsecme-multiple-child-sa-00

That was replaced in November 2020 by:

https://datatracker.ietf.org/doc/draft-pwouters-multi-sa-performance/

At IETF 108 in July 2020 there was this proposal:

https://datatracker.ietf.org/meeting/108/materials/slides-108-ipsecme-proposed-improvements-to-esp-01

October 2022:

https://www.ietf.org/archive/id/draft-ponchon-ipsecme-anti-replay-subspaces-00.txt

Additionally, Google published the PSP Security Protocol (PSP) for
datacenters in April 2022:

https://github.com/google/psp

All these proposals try to solve related problems in different ways.
They all have pros and cons, but the number of proposals shows that
there is a real need to solve these problems better, sooner rather than later.

So instead of creating even more proposals, maybe we should take a
step back and try to write a clear problem statement. Based on that
we can then rethink possible solutions.

The next possibility to sit together for an 'in person' discussion
would be at the IETF Meeting in London. Is there anyone interested
in a side meeting about that topic?

Steffen